automad fino 1.10.9 Dashboard title cross site scripting

In automad fino 1.10.9 stata rilevata una vulnerabilità di livello problematico. Da questa vulnerabilità è interessato una funzione sconosciuta del componente Dashboard. Attraverso la manipolazione del parametro title del valore di input Home</title><script>alert("home")</script><title> di un input sconosciuto per mezzo di una vulerabilità di classe cross site scripting. L'advisory è scaricabile da github.com. Questo punto di criticità è identificato come CVE-2022-1536. Con la rete può partire l'attacco. I dettagli tecnici sono conosciuti. È stato dichiarato come proof-of-concept. L'exploit è scaricabile da github.com. Una possibile soluzione è stata pubblicata già prima e non dopo la pubblicazione della vulnerabilità.

Campo29/04/2022 14:1204/05/2022 09:2504/05/2022 09:29
nameautomadautomadautomad
version<=1.10.9<=1.10.9<=1.10.9
componentDashboardDashboardDashboard
argumenttitletitletitle
cwe79 (cross site scripting)79 (cross site scripting)79 (cross site scripting)
risk111
cvss3_vuldb_avNNN
cvss3_vuldb_acLLL
cvss3_vuldb_prLLL
cvss3_vuldb_uiRRR
cvss3_vuldb_sUUU
cvss3_vuldb_cNNN
cvss3_vuldb_iLLL
cvss3_vuldb_aNNN
cvss3_vuldb_ePPP
cvss3_vuldb_rcRRR
urlhttps://github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/automad%3C%3D1.10.9%20Stored%20Cross-Site%20Scripting(XSS).mdhttps://github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/automad%3C%3D1.10.9%20Stored%20Cross-Site%20Scripting(XSS).mdhttps://github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/automad%3C%3D1.10.9%20Stored%20Cross-Site%20Scripting(XSS).md
availability111
publicity111
urlhttps://github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/automad%3C%3D1.10.9%20Stored%20Cross-Site%20Scripting(XSS).mdhttps://github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/automad%3C%3D1.10.9%20Stored%20Cross-Site%20Scripting(XSS).mdhttps://github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/automad%3C%3D1.10.9%20Stored%20Cross-Site%20Scripting(XSS).md
cveCVE-2022-1536CVE-2022-1536CVE-2022-1536
responsibleVulDBVulDBVulDB
date1651183200 (29/04/2022)1651183200 (29/04/2022)1651183200 (29/04/2022)
cvss2_vuldb_avNNN
cvss2_vuldb_acLLL
cvss2_vuldb_ciNNN
cvss2_vuldb_iiPPP
cvss2_vuldb_aiNNN
cvss2_vuldb_ePOCPOCPOC
cvss2_vuldb_rcURURUR
cvss2_vuldb_auSSS
cvss2_vuldb_rlNDNDND
cvss3_vuldb_rlXXX
cvss2_vuldb_basescore4.04.04.0
cvss2_vuldb_tempscore3.43.43.4
cvss3_vuldb_basescore3.53.53.5
cvss3_vuldb_tempscore3.23.23.2
cvss3_meta_basescore3.53.53.5
cvss3_meta_tempscore3.23.23.3
price_0day$0-$5k$0-$5k$0-$5k
input_valueHome</title><script>alert("home")</script><title>Home</title><script>alert("home")</script><title>Home</title><script>alert("home")</script><title>
cve_assigned1651183200 (29/04/2022)1651183200 (29/04/2022)
cve_nvd_summaryA vulnerability has been found in automad up to 1.10.9 and classified as problematic. This vulnerability affects the Dashboard. The manipulation of the argument title with the input Homealert("home") leads to a cross site scripting. The attack can be initiated remotely but requires an authentication. The exploit details have disclosed to the public and may be used.A vulnerability has been found in automad up to 1.10.9 and classified as problematic. This vulnerability affects the Dashboard. The manipulation of the argument title with the input Homealert("home") leads to a cross site scripting. The attack can be initiated remotely but requires an authentication. The exploit details have disclosed to the public and may be used.
cvss3_cna_avN
cvss3_cna_acL
cvss3_cna_prL
cvss3_cna_uiR
cvss3_cna_sU
cvss3_cna_cN
cvss3_cna_iL
cvss3_cna_aN
cve_cnaVulDB
cvss3_cna_basescore3.5

PrecedenteVisione D'insiemeIl prossimo

Do you want to use VulDB in your project?

Use the official API to access entries easily!